docs: create DocumentationStrategy/CompliancePerspective
parent fd8b121894
commit 521831dbf3
DocumentationStrategy/CompliancePerspective.md (new normal file, 132 lines)
@ -0,0 +1,132 @@
---
title: Compliance Perspective
description:
published: true
date: 2025-04-05T01:50:24.026Z
tags:
editor: markdown
dateCreated: 2025-04-05T01:50:24.026Z
---

# ✅ Compliance-Ready Documentation Strategy

### For: Janusian Infra & Knowledge Stack
**Audience:** DevOps, Infra, Security, Docs
**Version:** v1
**Last Reviewed:** 2025-04-05

---

## 🧭 Overview

This document outlines how our documentation stack (Wiki.js + Git + frontmatter) can be hardened for **compliance-readiness**, enabling:

- Granular access control
- Immutable audit logs
- Identity & access management (IAM)
- Policy enforcement for documentation changes
- Integration with external logging and monitoring

This helps us align with frameworks like **SOC 2**, **ISO 27001**, **GDPR**, and partially with **HIPAA**.

---

## 🏗️ System Components

| Component | Role |
|---------------|-------------------------------------|
| Wiki.js | Primary editing & browsing interface |
| Git (GitHub) | Backend version control, history |
| YAML Frontmatter | Structured metadata for compliance labeling |
| GitHub Actions | Policy enforcement & automation |
| SSO (e.g., Google/Okta) | Identity management |
| Monitoring (optional) | Access log visibility |

---

## 🔐 1. Access Control & Identity Management

- **Use Wiki.js Auth Providers**:
- Integrate OAuth2, SAML, or LDAP (Google Workspace, Okta, Azure AD).
- Enable **SSO with MFA**.
- Apply **page-level permissions** (reader, editor, admin).
- **Group users** by roles (e.g., `docs_editor`, `infra_admin`, `read_only`).
- **Map Git permissions** to teams for repo access (e.g., `docs/` path in GitHub).

---

## 🧾 2. Immutable Audit Logs

### Wiki.js Logs:
- Enable **Audit Logging** to track:
- Page views
- Edits and deletions
- Permission changes
- Login attempts

### Git Logs:
- Every doc change is:
- **Signed** (optional via `git commit -S`)
- Timestamped and traceable
- Stored in Git history (cryptographically verifiable)

📌 **Optional:** Use [OpenTimestamps](https://opentimestamps.org/) or [Sigstore](https://www.sigstore.dev/) to append public, verifiable timestamps.

---

## 📜 3. Policy Enforcement

- Define **GitHub CODEOWNERS** for all Markdown documentation:
- Require approvals from specific teams (e.g., `docs-core`, `compliance`).
- Implement CI checks:
- Ensure `classification`, `relevant_for`, and `last_reviewed` exist in frontmatter.
- Auto-tag missing fields or block merges.
- Configure **Wiki.js page drafts + approval plugins** for reviewable content.

---

## 📊 4. Monitoring & Alerting

- Pipe Wiki.js audit logs to:
- ELK Stack
- Datadog
- Prometheus + Grafana

Set up alerts for:
- Unauthorized access attempts
- Changes to classified or sensitive pages
- Admin permission changes

---

## 🧩 5. Compliance Frameworks We Could Map To

| Compliance | Support Level | Notes |
|------------|----------------|-------|
| **SOC 2** | ✅ Full coverage for Change Mgmt, IAM, Logging |
| **ISO 27001** | ✅ Aligns with Access Control & Audit Domains |
| **GDPR** | ✅ Log access to personal data, support deletion requests |
| **HIPAA** | ⚠️ Partial — not medical record-safe, but audit & access logs supported |

---

## 🚀 Next Steps

- [ ] Enable Wiki.js Audit Log to PostgreSQL or external logger
- [ ] Enforce Git commit signing for doc repo
- [ ] Add CODEOWNERS and review workflows
- [ ] Set up GitHub Actions to lint frontmatter
- [ ] Route logs to Grafana or Datadog for alerting

---

## 🔍 References

- [Wiki.js Auth Providers](https://docs.requarks.io/authentication)
- [Git Signed Commits](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
- [OpenTimestamps](https://opentimestamps.org/)
- [Sigstore](https://www.sigstore.dev/)
- [SOC 2 Criteria](https://www.aicpa.org/resources/article/trust-services-criteria)
- [ISO 27001 Controls](https://www.iso.org/isoiec-27001-information-security.html)

---
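Review bot: the frontmatter at the top of this new file (`title:` through `dateCreated:`) carries none of the three fields that Section 3 says CI must require (`classification`, `relevant_for`, `last_reviewed`), and `description:` and `tags:` are left empty, so this page would be the first thing the proposed lint blocks; either add the fields here (the body already states `**Last Reviewed:** 2025-04-05`, so `last_reviewed: 2025-04-05` is a one-line fix) or soften the requirement. Two further points in the same hunk. Section 2 calls Git history "cryptographically verifiable" and lists signing as "optional via `git commit -S`", while Next Steps says "Enforce Git commit signing for doc repo"; the two sections should agree, and a commit chain only serves as an immutable audit log if the repository also rejects force-pushes and unsigned commits (GitHub branch protection with required signatures), since otherwise history can be rewritten and the hashes recomputed. In Section 5 the table declares three columns (`| Compliance | Support Level | Notes |`) but every row supplies only two cells, so it will not render as intended, and "✅ Full coverage for Change Mgmt, IAM, Logging" for SOC 2 overstates what a wiki can evidence: a docs stack supports a subset of the change-management, logical-access and monitoring criteria, not full coverage of those areas. Minor: "Wiki.js page drafts + approval plugins" (Section 3) and audit logging of page views (Section 2) should cite the Wiki.js feature or configuration they rely on, since the references list only the authentication providers page; likewise CODEOWNERS only enforces reviews when branch protection requires code-owner approval, which the Section 3 bullet should say.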